Mail Archives: cygwin/2024/02/05/20:29:09

Message-ID: <e10d1c13-b167-46b1-935d-edebcf307e9a@gmx.net>
Date: Tue, 6 Feb 2024 02:28:41 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
To: cygwin AT cygwin DOT com
References: <a2df2105-31b8-425c-a963-4ea98e2f2ffa AT f-us DOT de>
In-Reply-To: <a2df2105-31b8-425c-a963-4ea98e2f2ffa@f-us.de>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
From: Frank-Ulrich Sommer via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Frank-Ulrich Sommer <f-u DOT s AT gmx DOT net>

Looking at the OpenSSH source code (on GitHub, not from Cygwin) I found a function "safe_path" that checks that the ownership and access modes for all path components are correct. This relies on "platform_sys_dir_uid" which checks if a UID may own a system directory. The code checks for UID zero and might also accept an OS specific second value (PLATFORM_SYS_DIR_UID) but for Cygwin this seems not to be set. But I don't know where to find the source code for the exact version that is used in Cygwin and I'm unsure about build settings.

A comment defines a safe path as follows:
"This is defined as all components of the path to the file must be owned by either the owner of the file or root and no directories must be group or world writable."

The "Users" directory is owned by "SYSTEM" (numeric: 18 according to stat) and only writable by Administrators and SYSTEM. The mode Cygwin shows for /cygdrive/c/Users is 0750 which should be OK.

So my question is: are "Administrators" and "SYSTEM" different users and does cygsshd accept SYSTEM (numeric 18) as a valid user who may own system directories? If the numeric ID is really 18 I can't see how this check can succeed but I'm not sure the code used in Cygwin is the same.

On 05.02.2024 00:53, Frank-Ulrich Sommer via Cygwin wrote:
> Hi,
>
> I'm trying to run cygsshd on my PC with Windows 11 and connect from a Linux machine. I have added the public key to /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link from /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked the access rights and mode of the .ssh directory (700 and belongs to user xxx) and the authorized_keys file (600 and also belongs to user xxx) and also of the home directory (had to change ownership).
>
> Now I get the following strange messages:
>
> [...]
> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: temporarily_use_uid: 197609/197121 (e=18/18)
> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: trying public key file /home/xxx/.ssh/authorized_keys
> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: fd 5 clearing O_NONBLOCK
> Feb  5 00:35:50 XXXXX sshd: PID 2798: Authentication refused: bad ownership or modes for directory /cygdrive/c/Users
> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: restore_uid: 18/18
> [...]
>
> Why is cygsshd complaining about the Windows "Users" directory and not about the directory of user xxx (/cygdrive/c/Users/xxx)? And how can I solve this?
>
> Frank
>


-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
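
The check described in the message above, as a simplified model in C (an added example, not OpenSSH or Cygwin source): it applies the quoted safe-path rule to a constructed list of path components, using the UIDs and the mode reported in the thread. The names `first_unsafe`, `sys_dir_uid_ok` and `NO_EXTRA_UID`, and the mode of the home directory, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* What stat() would report for one path component (values constructed below). */
struct component { const char *path; uid_t owner; mode_t mode; int is_dir; };
#define NO_EXTRA_UID ((uid_t)-1)  /* models a build with no second system UID */

/* Model of "may this UID own a system directory": UID 0, plus an optional second UID. */
static int sys_dir_uid_ok(uid_t owner, uid_t extra)
{
    return owner == 0 || (extra != NO_EXTRA_UID && owner == extra);
}

/* Walk from the file up through its parents. Returns the index of the first
 * component that fails (err describes it), or -1 if every component passes. */
int first_unsafe(const struct component *c, size_t n, uid_t user,
                 uid_t extra, char *err, size_t errlen)
{
    for (size_t i = 0; i < n; i++) {
        int owner_ok = c[i].owner == user || sys_dir_uid_ok(c[i].owner, extra);
        int mode_ok = (c[i].mode & 022) == 0;  /* no group/world write bit */
        if (!owner_ok || !mode_ok) {
            snprintf(err, errlen, "bad ownership or modes for %s %s",
                     c[i].is_dir ? "directory" : "file", c[i].path);
            return (int)i;
        }
    }
    err[0] = '\0';
    return -1;
}

/* Constructed sample: UIDs 197609 and 18 and mode 0750 come from the thread;
 * the mode of the home directory is an assumption. */
static const struct component SAMPLE[] = {
    { "/cygdrive/c/Users/xxx/.ssh/authorized_keys", 197609, 0600, 0 },
    { "/cygdrive/c/Users/xxx/.ssh",                 197609, 0700, 1 },
    { "/cygdrive/c/Users/xxx",                      197609, 0700, 1 },
    { "/cygdrive/c/Users",                          18,     0750, 1 },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    char err[128];
    int i = first_unsafe(SAMPLE, SAMPLE_N, 197609, NO_EXTRA_UID, err, sizeof err);
    printf("UID 0 only: stops at index %d (%s)\n", i, err);
    printf("UID 0 or 18: %d\n", first_unsafe(SAMPLE, SAMPLE_N, 197609, 18, err, sizeof err));
    return 0;
}
```

In this model, accepting only UID 0 as a system owner stops the walk at `/cygdrive/c/Users` even though mode 0750 passes the write-bit test; treating 18 as an additional system UID lets every listed component pass.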
